
[Xen-users] ebtables tying mac address to ip address problem



Hi all.

I'm trying to tie MAC addresses to IP addresses to stop IP and MAC spoofing on my Xen host running Debian 5.0 amd64. I've been trying to follow http://archive.netbsd.se/?ml=xen-users&a=2007-11&m=5776600

The DomU's network gets blocked both inward and outward.

I've patched my vif-bridge with the instructions on that page and they seem to be applied correctly.

The network is a simple 10.0.0.0 network with eth0 (10.0.0.5) bridged with peth0 as the physical interface.

These are the commands I issued at the start:

Paris:~# /sbin/ebtables -N eth0
Paris:~# /sbin/ebtables -A eth0 --log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP
Paris:~# /sbin/ebtables -A INPUT --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -A FORWARD --logical-in eth0 -j eth0
Paris:~# /sbin/ebtables -P INPUT DROP
Paris:~# /sbin/ebtables -P FORWARD DROP
Paris:~# brctl show
bridge name bridge id    STP enabled  interfaces
eth0    8000.001b24efefac no      peth0
Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 1, policy: ACCEPT
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

#####################################################################

Now I'll start my DomU:

Using config file "/xen/dmarkey/intrepid/intrepid".
Started domain intrepid


Now the rules after I start the domain:


Paris:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: FORWARD, entries: 2, policy: DROP
--logical-in eth0 -j eth0

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: eth0, entries: 2, policy: ACCEPT
-i vif8.0 -j vif8.0
--log-level notice --log-prefix "eth0" --log-ip --log-arp -j DROP

Bridge chain: vif8.0, entries: 3, policy: ACCEPT
-p IPv4 -s 0:16:3e:c:8f:80 --ip-src 10.0.0.254 -j ACCEPT
-p ARP -s 0:16:3e:c:8f:80 --arp-ip-src 10.0.0.254 --arp-mac-src 0:16:3e:c:8f:80 -j ACCEPT
--log-level notice --log-prefix "vif8.0" --log-ip --log-arp -j DROP


#################################################################################

Log:

[19267.149206] eth0 IN=peth0 OUT=vif8.0 MAC source = 00:e0:81:71:9b:01 MAC dest = 00:16:3e:0c:8f:80 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC="" ARP IP SRC="" ARP MAC DST=00:16:3e:0c:8f:80  ARP IP DST=10.0.0.254


Anyone any idea what I'm doing wrong here? Are those instructions out of date? Sorry, I'm new to ebtables.


Thanks.

David
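
An added example, not part of David's message and not Xen's vif-bridge script: a POSIX sh helper that generates (or, with EBTABLES_DRY_RUN=0, applies) the same kind of per-vif MAC/IP binding shown in the listing above. In that listing the eth0 chain only hands frames that entered on vif8.0 to the vif8.0 chain; a frame that entered on peth0 and is heading out to vif8.0, like the ARP reply in the logged line (IN=peth0 OUT=vif8.0), matches nothing before the final log+DROP. The helper therefore accepts frames entering on the physical port explicitly and applies the binding only to frames entering on a vif. The bridge name eth0, physical port peth0 and the vif8.0/MAC/IP values are taken from the post; the function names, the dry-run switch and the validation helpers are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post or from Xen's vif-bridge script):
# bind one DomU vif to a single MAC/IP pair with ebtables, and let frames
# arriving on the physical bridge port through unfiltered.
# Assumptions: bridge "eth0" with physical port "peth0" as in the post; the
# vif name, MAC and IP are parameters. Commands are printed (dry run) unless
# EBTABLES_DRY_RUN=0, so the rule set can be reviewed before it is applied.

EBTABLES=${EBTABLES:-/sbin/ebtables}
BRIDGE=${BRIDGE:-eth0}
PHYS=${PHYS:-peth0}
EBTABLES_DRY_RUN=${EBTABLES_DRY_RUN:-1}

run() {
    if [ "$EBTABLES_DRY_RUN" = 1 ]; then
        printf '%s\n' "$EBTABLES $*"
    else
        "$EBTABLES" "$@"
    fi
}

# Six colon-separated hex octets; anything else is rejected so a typo cannot
# silently become a rule that never matches.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
}

# Base chain: everything the bridge sees goes through $BRIDGE. Frames that
# entered on the physical port (replies from the LAN) are accepted; frames
# that entered on a vif must be claimed by that vif's own chain, which
# vif_rules inserts above the final log+DROP.
bridge_rules() {
    run -N "$BRIDGE"
    run -A "$BRIDGE" -i "$PHYS" -j ACCEPT
    run -A "$BRIDGE" --log-level notice --log-prefix "$BRIDGE" --log-ip --log-arp -j DROP
    run -A INPUT --logical-in "$BRIDGE" -j "$BRIDGE"
    run -A FORWARD --logical-in "$BRIDGE" -j "$BRIDGE"
    run -P INPUT DROP
    run -P FORWARD DROP
}

# Per-vif chain: only IPv4 from the bound MAC+IP, and only ARP whose sender
# hardware and protocol addresses are that same pair; everything else from
# the vif is logged and dropped (stops both IP and ARP spoofing by the DomU).
vif_rules() {
    vif=$1; mac=$2; ip=$3
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    run -N "$vif"
    run -A "$vif" -p IPv4 -s "$mac" --ip-src "$ip" -j ACCEPT
    run -A "$vif" -p ARP -s "$mac" --arp-mac-src "$mac" --arp-ip-src "$ip" -j ACCEPT
    run -A "$vif" --log-level notice --log-prefix "$vif" --log-ip --log-arp -j DROP
    # frames entering the bridge on this vif are judged by its own chain
    run -I "$BRIDGE" 1 -i "$vif" -j "$vif"
}

# Undo vif_rules when the domain goes away (what a vif-bridge "offline" does).
vif_remove() {
    vif=$1
    run -D "$BRIDGE" -i "$vif" -j "$vif"
    run -F "$vif"
    run -X "$vif"
}

# Stand-alone use: ./ebt-vif.sh vif8.0 00:16:3e:0c:8f:80 10.0.0.254
if [ "$#" -eq 3 ]; then
    bridge_rules
    vif_rules "$@"
fi
```

Note that this only constrains what the DomU sends: -i matches the bridge port a frame entered on, so the binding is enforced for frames coming out of the vif, while frames delivered to the vif are left alone. Run it once in dry-run mode and compare the printed rules with ebtables --list before switching EBTABLES_DRY_RUN to 0 on the host.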
